GOLD SOUTHFIELD
SUMMARY
GOLD SOUTHFIELD was a financially motivated cybercriminal threat group that authored and operated the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups. Operational from April 2019 to January 2023, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. GOLD SOUTHFIELD was responsible for authoring REvil and operating the backend infrastructure used by affiliates (also called partners) to create malware builds and to collect ransom payments from victims. CTU researchers assess with high confidence that GOLD SOUTHFIELD is a former GandCrab affiliate and continues to work with other former GandCrab affiliates.
REvil partners were recruited on semi-exclusive underground forums by the Russian-speaking operators of GOLD SOUTHFIELD, who refused to work with English-speaking criminals. A limited number of partnerships were offered, with preference given to those able to perpetrate high-value deployments impacting entire organizations. GOLD SOUTHFIELD's affiliates distributed ransomware through a variety of means, including exploit kits, scan-and-exploit attacks, publicly accessible RDP and remote monitoring and management (RMM) servers, and backdoored software installers. In December 2019, GOLD SOUTHFIELD began operating a name-and-shame style website that used data stolen during intrusions to generate additional leverage against victims.
From 2019 through 2021, GOLD SOUTHFIELD operated one of the most active ransomware-as-a-service operations in the cybercriminal ecosystem. The operation ceased in October 2021, only to return in April 2022, likely at the direction of new principals. REvil never regained anything approaching the volume of attacks achieved during its peak years. In October 2022, GOLD SOUTHFIELD worked with an affiliate to publish data stolen from an Australian healthcare organization, but ransomware was not used in the attack. GOLD SOUTHFIELD's infrastructure ceased operation in early January 2023.
In June 2023, a coalition of Russia-aligned hacktivist groups, including KillNet and Anonymous Sudan, announced intentions to attack the European banking system. In their announcement they claimed a partnership with former REvil threat actors who intended to participate in the attacks. No evidence was provided to substantiate any link to past GOLD SOUTHFIELD principals or affiliates, and the claim is likely an attempt to capitalize on the well-known REvil brand.
Threat Analysis
REvil/Sodinokibi Ransomware